Crypto breakthrough shows Flame was designed by world-class scientists

The spy malware achieved an attack unlike any cryptographers have seen before.

An overview of a chosen-prefix collision. A similar technique was used by the Flame espionage malware that targeted Iran. The scientific novelty of the malware underscored the sophistication of malware sponsored by wealthy nation states.

The Flame espionage malware that infected computers in Iran achieved mathematical breakthroughs that could only have been accomplished by world-class cryptographers, two of the world's foremost cryptography experts said.

"We have confirmed that Flame uses a yet unknown MD5 chosen-prefix collision attack," Marc Stevens wrote in an e-mail posted to a cryptography discussion group earlier this week. "The collision attack itself is very interesting from a scientific viewpoint, and there are already some practical implications." Benne de Weger, a Stevens colleague and another expert in cryptographic collision attacks who was briefed on the findings, concurred.

"Collision" attacks, in which two different sources of plaintext generate identical cryptographic hashes, have long been theorized. But it wasn't until late 2008 that a team of researchers made one truly practical. By using a bank of 200 PlayStation 3 consoles to find collisions in the MD5 algorithm—and exploiting weaknesses in the way Secure Sockets Layer (SSL) certificates were issued—they constructed a rogue certificate authority that was trusted by all major browsers and operating systems. Stevens, from the Centrum Wiskunde & Informatica in Amsterdam, and de Weger, of the Technische Universiteit Eindhoven, were two of the seven driving forces behind the research that made that 2008 attack possible.

Flame is the first known example of an MD5 collision attack being used maliciously in a real-world environment. It wielded the esoteric technique to digitally sign malicious code with a fraudulent certificate that appeared to originate with Microsoft. By deploying fake servers on networks that hosted machines already infected by Flame—and using the certificates to sign Flame modules—the malware was able to hijack the Windows Update mechanism Microsoft uses to distribute patches to hundreds of millions of customers.
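The structural property that makes a chosen-prefix collision so valuable for certificate forgery, shown as an added example (this is not code from the article, from Stevens' tools, or from Flame): a toy Merkle-Damgard hash with a 32-bit chaining state (an assumption chosen so a brute-force birthday search finishes quickly) lets two different prefixes be driven into the same internal state, after which any identical suffix hashes identically. Real MD5 collisions require differential cryptanalysis rather than this brute-force search, and MD5's padding encodes the message length, which is why the prefixes here are kept block-aligned.

```python
import hashlib
import struct

# Toy Merkle-Damgard hash for illustration only: 32-bit chaining state, 8-byte
# blocks. The tiny state is an assumption that makes the birthday search below
# feasible; the chaining structure is the point, not the compression function.
BLOCK = 8
IV = 0x01234567

def compress(state: int, block: bytes) -> int:
    """Toy compression: MD5(state || block) truncated to 32 bits."""
    assert len(block) == BLOCK
    digest = hashlib.md5(struct.pack(">I", state) + block).digest()
    return int.from_bytes(digest[:4], "big")

def absorb(state: int, data: bytes) -> int:
    """Chain the state over block-aligned data (no padding applied)."""
    assert len(data) % BLOCK == 0
    for i in range(0, len(data), BLOCK):
        state = compress(state, data[i:i + BLOCK])
    return state

def toy_hash(msg: bytes) -> int:
    """Full hash: pad to a block boundary, then chain from the fixed IV."""
    padded = msg + b"\x80" + b"\x00" * ((-len(msg) - 1) % BLOCK)
    return absorb(IV, padded)

def align(prefix: bytes) -> bytes:
    """Space-pad a chosen prefix so the collision block starts on a boundary."""
    return prefix + b" " * ((-len(prefix)) % BLOCK)

def chosen_prefix_collision(p1: bytes, p2: bytes, table_size: int = 1 << 17):
    """Birthday search for blocks b1, b2 with compress(s1, b1) == compress(s2, b2)."""
    s1, s2 = absorb(IV, p1), absorb(IV, p2)
    # Side 1: tabulate states reachable from s1 using counter-derived blocks.
    table = {compress(s1, struct.pack(">Q", i)): i for i in range(table_size)}
    # Side 2: step from s2 until a block lands on a state already in the table.
    j = 0
    while True:
        b2 = struct.pack(">Q", j)
        hit = table.get(compress(s2, b2))
        if hit is not None:
            return struct.pack(">Q", hit), b2
        j += 1

def demo():
    """Two unrelated prefixes (constructed sample data) plus one shared suffix."""
    p1 = align(b"prefix A: ordinary end-entity fields")
    p2 = align(b"prefix B: completely different fields")
    b1, b2 = chosen_prefix_collision(p1, p2)
    suffix = b"shared trailer standing in for the rest of a certificate body"
    return p1 + b1 + suffix, p2 + b2 + suffix
```

Once the two chaining states coincide, every byte appended to both messages is hashed from the same state, so the suffix costs the attacker nothing; this is exactly why a rogue certificate's signed body can share its tail with a legitimately issued one.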

According to Stevens and de Weger, the collision attack performed by Flame has substantial scientific novelty. They arrived at that conclusion after Stevens used a forensic tool he designed to detect and analyze hash collisions.

"More interestingly, the results have shown that not our published chosen-prefix collision attack was used, but an entirely new and unknown variant," Stevens wrote in a statement distributed on Thursday. "This has led to our conclusion that the design of Flame is partly based on world-class cryptanalysis. Further research will be conducted to reconstruct the entire chosen-prefix collision attack devised for Flame."

The analysis reinforces theories that researchers from Kaspersky Lab, CrySyS Lab, and Symantec published almost two weeks ago. Namely, Flame could only have been developed with the backing of a wealthy nation-state. Stevens' and de Weger's conclusion means that, in addition to a team of engineers who developed a global malware platform that escaped detection for at least two years, Flame also required world-class cryptographers who have broken new ground in their field.

"It's not a garden-variety collision attack, or just an implementation of previous MD5 collisions papers—which would be difficult enough," Matthew Green, a professor specializing in cryptography in the computer science department at Johns Hopkins University, told Ars. "There were mathematicians doing new science to make Flame work."

This article was updated at 11:01 am PDT on June 10 to clarify Stevens' and de Weger's roles and to change language in the 5th paragraph.

None of this is surprising. I would guess that if the NSA or CIA approached every newly minted PhD mathematician or computer scientist with an offer of $250k per year for the opportunity to design and implement cutting-edge malware they'd have no shortage of people to design this stuff.

It is publicly known that Obama has approved such attacks in conjunction with Israel to ramp up cyber attacks on Iran and I would not be surprised if this was part of it. Cyberattacks are part of the 'cold war' arsenal now.

"The Flame espionage malware that infected computers in Iran achieved mathematics breakthroughs that could only have been accomplished by world-class cryptographers, two of the world's foremost cryptography experts said."

Isn't this a small group of people that both of these experts belong to? Exactly how many "world-class cryptographers" exist? Could be these two guys that did it and are pulling the wool over everyone's eyes.

I have a feeling you will start to see more Linux and Mac users popping up in the Middle East. Before the flaming starts, yes those OS systems can be exploited too, but they sound much more secure than Windows does right now, at least in the Middle East.

"The Flame espionage malware that infected computers in Iran achieved mathematics breakthroughs that could only have been accomplished by world-class cryptographers, two of the world's foremost cryptography experts said."

Isn't this a small group of people that both of these experts belong to? Exactly how many "world-class cryptographers" exist? Could be these two guys that did it and are pulling the wool over everyone's eyes.

Guy 1: OMG, this new vector for crypto attacks is genius.
Guy 2: Yeah, it's incredible. Only the two smartest guys in the world could have come up with this stuff.
Guy 1: You mean the smartest and most awesome guys.
Guy 2: Yeah, that's what I meant. Also, the best looking.

Should I be worried that this month's single Windows patch was a fake?

No, that was an out-of-band release to revoke the compromised CA. Patch Tuesday is next week.

cromination wrote:

I have a feeling you will start to see more Linux and Mac users popping up in the Middle East. Before the flaming starts, yes those OS systems can be exploited too, but they sound much more secure than Windows does right now, at least in the Middle East.

This was the work of an extremely high-skill group, backed by possibly massive resources, with a very specific target. There's not much doubt they could break any network-attached system they were tasked to attack.

I'll use Ubuntu, as it's what I'm most familiar with:
1. Gain access to system
2. Add new GPG key for updates
3. Add new repository to sources.list
4. Have repository host an 'updated' version of apt and update-manager; remove repository from sources.list
5. 'Updated' apt and update-manager have the malicious repository hard coded in so it doesn't need to be in sources.list, and will give it priority.

I haven't the faintest idea what methods they would use, but there's a logical breakdown of one way a similar attack on a Linux (Debian/Ubuntu) system could work and exploit the update system.

None of this is surprising. I would guess that if the NSA or CIA approached every newly minted PhD mathematician or computer scientist with an offer of $250k per year for the opportunity to design and implement cutting-edge malware they'd have no shortage of people to design this stuff.

Most of them make far less. But they play with some of the coolest toys.

Should I be worried that this month's single Windows patch was a fake?

No, that was an out-of-band release to revoke the compromised CA. Patch Tuesday is next week.

Whew! Thanks!

In fact, here's a link to the specific patch they released: http://support.microsoft.com/kb/2718704

If that wasn't what got installed (or a definition update for MSSE, if you use that), then check your update history and verify the KB numbers against Microsoft's site.

I think it's pretty funny that people are just now realizing there's been a full scale cyber world war going on for the last decade. The people working on this stuff must have giggled themselves to death watching all the action/espionage movies where people dismissed the hacking as completely unrealistic and ridiculous, while they were actually doing more impressive stuff.

"The Flame espionage malware that infected computers in Iran achieved mathematics breakthroughs that could only have been accomplished by world-class cryptographers, two of the world's foremost cryptography experts said."

Isn't this a small group of people that both of these experts belong to? Exactly how many "world-class cryptographers" exist? Could be these two guys that did it and are pulling the wool over everyone's eyes.

No, it's just that these guys didn't come up with it so they think it must have been written by a large team of the most brilliant professional programmers who've ever lived. Imagine what it will do to their egos when they discover it was written over a weekend by a 14 year old girl who's fascinated by secret codes.

I have a feeling you will start to see more Linux and Mac users popping up in the Middle East. Before the flaming starts, yes those OS systems can be exploited too, but they sound much more secure than Windows does right now, at least in the Middle East.

I mean, when people are coming up with entirely new science to hack into you, you aren't going to be safe pretty much whatever OS you use.

I mean, it actually makes me feel a little better about MS, when it comes right down to it.

This was the work of an extremely high-skill group, backed by possibly massive resources, with a very specific target. There's not much doubt they could break any network-attached system they were tasked to attack.

I'll use Ubuntu, as it's what I'm most familiar with:
1. Gain access to system
2. Add new GPG key for updates
3. Add new repository to sources.list
4. Have repository host an 'updated' version of apt and update-manager; remove repository from sources.list
5. 'Updated' apt and update-manager have the malicious repository hard coded in so it doesn't need to be in sources.list, and will give it priority.

I haven't the faintest idea what methods they would use, but there's a logical breakdown of one way a similar attack on a Linux (Debian/Ubuntu) system could work and exploit the update system.

I pointed this out in one of the other threads: this won't work the same way because you have to subvert the update mechanism as a *prerequisite* to your step 1. Yes, it's theoretically possible to subvert apt/yum/etc., but there just aren't any software components floating around in the Linux ecosystem that have the authority to issue a certificate like terminal server did in this case; you'd have to attack the Canonical, Debian, or Red Hat packaging certificate directly instead of using an exploit of what should be an unrelated piece of software.

I'm not saying there are no vulnerabilities in a modern Linux system, the Avahi and DBUS stuff makes me kind of nervous, but I do believe the attack surface is much, much smaller on Linux.

It is publicly known that Obama has approved such attacks in conjunction with Israel to ramp up cyber attacks on Iran and I would not be surprised if this was part of it. Cyberattacks are part of the 'cold war' arsenal now.

From what I have read, and of course none of what has been said at all has been considered "official" even if we know it is, these attacks were basically appeasements to Israel by the US. Israel was just going to all-out attack Iran's nuke facilities with bombs and missiles, so we offered an alternative approach that would be silent and embarrassing for Iran. Of course it isn't so silent anymore, but more or less accomplished its goal. I don't know the exact goal of this new Flame virus, but Stuxnet was a success since it did hinder their operations for a period of time. The fact that Flame is actually older, who knows what it has been doing and collecting all this time.

It is going to be both funny and sad if it turns out this thing was written by some 15-year-old in his parents' basement.

Brilliant 15-year-olds exist. But brilliant 15-year-olds don't follow rigorous software development practices with good clean code and modules and naming, etc. Those are things that slow down a single brilliant developer, but are necessary when you have a team working together.

Brilliant 15-year-olds exist. But brilliant 15-year-olds don't follow rigorous software development practices with good clean code and modules and naming, etc. Those are things that slow down a single brilliant developer, but are necessary when you have a team working together.

++ This has all the marks of a team of professionals. Basement hackers, even super brilliant ones, just don't do things this way.

The level of mathematical expertise certainly does. I'm just curious why the NSA would show its hand by using a brand new, unknown technique when there was an existing, known technique. Now we know what they know, which is very un-NSA-like. I guess maybe they were in a hurry.